(54) Title: SECURE ONE-WAY AUTHENTICATION COMMUNICATION SYSTEM
(57) Abstract

A protocol for authenticating at least one of a pair of first and second correspondents C and T in a data communication system, the method comprising the steps of storing a public key in the first correspondent C; computing a shared secret by the second correspondent T incorporating the public key C; storing the shared secret in the first correspondent C; the second correspondent T generating a challenge value χ; the first correspondent C transmitting to the second correspondent T information including the stored public key C; the second correspondent T computing a test shared secret from the received public key C; the first and second correspondents computing response signals using the challenge value χ and the shared secret in a one-way function f₁; and the first correspondent C transmitting the computed response signal to the second correspondent T whereby the second correspondent verifies the first correspondent.
This invention relates to a protocol for the secure verification of correspondents in a data communication system and in particular to the verification of at least one of the correspondents having limited computing power.

BACKGROUND OF THE INVENTION 

Traditionally, a mechanical turnstile system was used to restrict the entry of persons into or out of a pre-determined area. In order to gain entry, the user is required to pay a fee, the fee being in the form of cash, tokens, fee cards or other payment medium. These mechanical turnstiles however allow entry without being able to identify the persons entering or leaving. In order to monitor users, an operator is required.

In order to alleviate this problem, electronic card entry and exit systems were devised. In these types of systems, a user is issued with an identification card beforehand which is then inserted into a card reader and, upon positive verification, will allow entry via a locked door or similar barrier, thus obviating the need for an operator. A disadvantage of this system is that for a large number of users a database has to be maintained listing each of the users; in particular, if each user has a unique identification, then the verification system is required to scroll through each of the records to find a matching identity. Secondly, this system is also inconvenient if there are a large number of users entering a particular location at a given time, such as a public transit way, since the insertion and withdrawal of cards from a card reader is apt to cause bottlenecks at the entrance way.

Transit systems have been devised in which users are provided with a pre-programmed smart card. In this system, the turnstile or a terminal is able to monitor the smart card remotely, thus the user simply walks past the turnstile without having to physically insert the card in a slot. The card is generally activated by the presence of an electromagnetic field generated by the terminal; the card then transmits an appropriate identification back to the terminal, which verifies the card identification and allows entry of the user. These cards generally have limited computing power and are not able to perform complex computations. It is also desirable to authenticate these cards to prevent duplication or fraudulent entry. Because the cards have limited computing power, it is necessary to implement an authentication protocol that minimizes the computation performed by the card and furthermore is able to provide verification of the card by the terminal in a very short period of time, generally less than one second.


SUMMARY OF THE INVENTION 

This invention seeks to provide a solution to the problem of card verification 
between a terminal and a card where the card device has limited computing power. 

According to one aspect of this invention there is provided a method of authenticating at least one of a pair of correspondents T and C in an information exchange session, wherein one of the correspondents T includes a secret key t and the other correspondent C has a public key C and a shared secret value tc derived from said public key C and said secret key t, the method comprising the steps of:
the first correspondent C transmitting to the second correspondent T said public key C;
the second correspondent T generating a challenge value χ and transmitting said challenge value χ to said first correspondent C;
said second correspondent T generating a session shared secret value ss by combining said private key t with said public key C of said first correspondent C;
said second correspondent T generating a response test value k_T by combining said session shared secret ss with said challenge in a mathematical function f₁;
said first correspondent C generating a response value k_C by combining said shared secret tc with said challenge value χ in said mathematical function f₁ and sending said response value k_C to said second correspondent T; and
said second correspondent T comparing said response test value k_T to said challenge response value k_C to verify said first correspondent C.

A further aspect of this invention provides for said public key C being included in a certificate Cert_C, whereby the second correspondent verifies the certificate on C and the identity of the first correspondent C before generating the challenge χ.

In accordance with a further aspect of this invention the mathematical function f₁ is a one-way function.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described by way of 
example only with reference to the accompanying drawings in which: 

Figure 1 is a schematic representation of a communication system; and
Figure 2 is a flow chart showing a verification protocol according to the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

In the following description like numerals refer to like elements. Referring to figure 1, a transit control system is shown generally by numeral 10. In the system, a user 12 carries an identification card 14. A terminal including a card reader is provided for remote monitoring of card carrying users 12. The terminal 16 communicates with cards in a given area of proximity via, for example, electromagnetic means 18. These systems are readily available and will not be discussed further.

In the context of the present data communication system, the card and terminal are designated a pair of first and second correspondents C and T respectively. Depending upon the reading mechanism employed, the card generally is powered when brought in proximity to the magnetic field generated by the terminal 18. The card 14 contains a low power processing unit which is at least capable of performing simple calculations. In a typical data communication session, the card assembles a data string, which when assembled is transmitted to the terminal.

At system set-up, i.e. when a card is issued to a user, an encryption scheme is chosen and appropriate system parameters are defined. In the following example an elliptic curve encryption scheme is used. The details of encryption schemes will not be discussed as they are well known in the art. However, if the elliptic curve encryption system is being utilized, then a public value C = cP is computed, where P is a generator point on the elliptic curve. The public value C is signed by a certifying authority (CA) to produce a certificate Cert_C, containing the public key C and identification of the card C, and stored in the card 14. A shared secret tc = tC is calculated, where t is a secret key known to the terminal T. This shared secret tc is stored in the card within a secure boundary. Thus after the system set-up phase, the card contains a certificate Cert_C and a shared secret tc.

Referring now to figure 2, a protocol according to an embodiment of the present invention is shown generally by numeral 200. When the user 12 carrying the card 14 is in proximity to the terminal 18, the card detects the terminal 210 and sends its certificate Cert_C to the terminal T. Similarly, when the terminal detects the card 214 it waits for a certificate Cert_C 216. When the terminal receives the certificate, it verifies the certificate using the CA's public key 218. If the certificate is not verified, a rejection signal is generated which may be used to alert or signal an appropriate barrier or event. However, if the certificate is verified the terminal extracts the public key C of the card from the certificate 220. The terminal then generates a challenge χ 222, which may be a large integer or any suitable bit string. This challenge χ is then sent to the card 224. At the same time the terminal computes a shared secret ss = tC and computes a challenge response verification value k_T = f₁(χ, ss), where f₁ is a one-way function such as a secure hash function or one derived from the data encryption standard (DES). The card, upon receipt of the challenge χ, also computes its challenge response k_C by applying the one-way function f₁ to the challenge value χ and the shared secret tc to calculate k_C = f₁(χ, tc). This challenge response value k_C is then sent back to the terminal 232 where it is verified 234 by the terminal comparing k_T to k_C. If these values are equal then the card is verified.

It may thus be seen that the purpose of the challenge χ is to establish that the card has the shared secret tc; otherwise the data communication system is open to replay attack, where an observer watches for the k_C and may send it back at a later time. Furthermore, it may be seen from the system that the terminal does not have to maintain a record of secret keys for each card authorized in the system. The advantage of this may well be appreciated when, for example, the card is a public rail transit card identification and the terminal would otherwise have to maintain records for each of approximately a few hundred thousand users. Thus the present invention avoids this disadvantage.

In a further embodiment, the card may at step 230, in producing the challenge response, compute a value k_sig = f₁(χ, tc, m), where m is a message to be signed by the card. The card may then concatenate the challenge response k_sig with the message and send this to the terminal. In this instance, the card is both authenticated and a message generated by the card is signed.
In a still further embodiment, the card may be authenticated as well as send an encrypted message. In this instance, the card calculates its challenge response value k_enc = f₁(χ, ss) and uses this value as a key to calculate an encrypted value of a message m using, for example, DES or DESX, such that E = E_k_enc(m). In this instance the card is implicitly authenticated with the encrypted message. This may be useful, for example, when the card sends a PIN back to the terminal.

In a further embodiment, the system, rather than utilizing a single value of t, may use many values of t, i.e. t_i, thus producing many shared secrets ss(t_i). In this instance, the card will send with its certificate the index i so that the terminal may extract the appropriate t_i to compute its shared secret, as shown in step 226 of figure 2.

In the above examples, the shared secret ss = tC was for an elliptic curve implementation. For a finite field implementation, the shared secret may be calculated as ss = C^t. Furthermore, a more generalized form of the shared secret is a function combining the values of the terminal's private key t and the card's public key C using a cryptographic function f₁(t, C).

While the invention has been described in connection with the specific embodiment thereof, and in a specific use, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims. In general, this invention has application to situations where authenticated access to goods and services is required or where entry is to be controlled.

The terms and expressions which have been employed in this specification are used as terms of description and not of limitation; there is no intention in the use of such terms and expressions to exclude any equivalence of the features shown and described or portions thereof, but it is recognized that various modifications are possible within the scope of the claims to the invention.
WE CLAIM:

1. A method of authenticating at least one of a pair of first and second correspondents C and T in a data communication system, said method comprising the steps of:
storing a public key in said first correspondent C;
computing a shared secret by said second correspondent T incorporating said public key C;
storing said shared secret in said first correspondent C;
said second correspondent T generating a challenge value χ;
said first correspondent C transmitting to the second correspondent T information including said stored public key C;
said second correspondent T computing a test shared secret from said received public key C;
said first and second correspondents computing response signals using said challenge value χ and said shared secret in a one-way function f₁; and
said first correspondent C transmitting said computed response signal to said second correspondent T whereby said second correspondent verifies said first correspondent.

2. A method as defined in claim 1, including said first correspondent C transmitting a signed message m with said response.

3. A method as defined in claim 2, including signing said message with said one-way function.

4. A method as defined in claim 3, said signed message being included with said computed response and concatenated with said message for transmission.

5. A method as defined in claim 1, including said first correspondent C encrypting a message m in accordance with a symmetric key scheme, wherein said symmetric key is derived from said computed response value, and transmitting said encrypted message to said second correspondent T.

6. A method as defined in claim 5, said signature scheme is an RSA type signature scheme.

7. A method as defined in claim 1, said shared secret being computed by said second correspondent T by utilizing its secret key and the public key C.

8. A method as defined in claim 1, said second correspondent T having a plurality of private keys t_i corresponding to respective first correspondents;
receiving from said first correspondent C an identification index i; and
using said corresponding private key t_i and the public key C to compute a shared secret ss_i.

9. A method as defined in claim 1, said public key scheme being an elliptic curve scheme.

10. A method as defined in claim 1, said public key scheme being an RSA type scheme.

11. A method of authenticating at least one of a pair of correspondents T and C in an information exchange session, and wherein one of the correspondents T includes a secret key t and the other correspondent C has a public key C and a shared secret value tc derived from said public key C and said secret key t, the method comprising the steps of:
the first correspondent C transmitting to the second correspondent T information including said public key C;
the second correspondent T generating a challenge signal χ and transmitting said challenge signal χ to said first correspondent C;
said second correspondent T generating a session shared secret ss by combining said private key t with said public key C of said first correspondent C;
said second correspondent T generating a response signal k_T by combining said session shared secret ss with said challenge signal in a mathematical function f₁;
said first correspondent C generating a response value k_C by combining said shared secret tc with said challenge value χ in said mathematical function f₁ and sending said response value k_C to said second correspondent T; and
said second correspondent T comparing said response test value k_T to said challenge response value k_C to verify said first correspondent C.

12. An article of manufacture comprising:
a computer usable medium having computer readable program code embodied therein for authenticating at least one of a pair of correspondents T and C in an information exchange session, and wherein one of the correspondents T includes a secret key t and the other correspondent C has a public key C and a shared secret value tc derived from said public key C and said secret key t, the computer readable program code in said article of manufacture comprising:
computer readable program code configured to cause a computer to generate a challenge signal χ and transmit said challenge signal χ to said first correspondent C in response to received public information from said first correspondent;
computer readable program code configured to cause a computer to generate a session shared secret ss by combining said private key t with said public key C of said first correspondent C;
computer readable program code configured to cause a computer to generate a test response signal k_T by combining said session shared secret ss with said challenge signal χ in a mathematical function f₁; and
computer readable program code configured to cause a computer to compare said response test signal k_T to a received response value k_C from said first correspondent to verify said first correspondent C.


